AZ-700 questions

Microsoft AZ-700 Exam Actual Questions 
The questions for AZ-700 were last updated at Dec 15, 2021. 
62 questions + 56 MS Learn Questions 
Topic 1 - Question Set 1 
Question #1 (Topic 1)
Your company has a single on-premises datacenter in New York. The East US Azure region has a 
peering location in New York. 
The company only has Azure resources in the East US region. 
You need to implement ExpressRoute to support up to 1 Gbps. You must use only ExpressRoute 
Unlimited data plans. The solution must minimize costs. 
Which type of ExpressRoute circuits should you create? 
 A. ExpressRoute Local 
 B. ExpressRoute Direct 
 C. ExpressRoute Premium 
 D. ExpressRoute Standard 
Correct Answer: A 
Reference: 
https://azure.microsoft.com/en-us/pricing/details/expressroute/ 
Question #2 (Topic 1)
You are planning an Azure Point-to-Site (P2S) VPN that will use OpenVPN. 
Users will authenticate by an on-premises Active Directory domain. 
Which additional service should you deploy to support the VPN authentication? 
 A. an Azure key vault 
 B. a RADIUS server 
 C. a certification authority 
 D. Azure Active Directory (Azure AD) Application Proxy 
Correct Answer: B 
Reference: Point-to-site authentication methods - Native Azure certificate and Active Directory (It 
requires a RADIUS server that integrates with the AD server) 
https://docs.microsoft.com/en-us/azure/vpn-gateway/point-to-site-about 
Question #3 (Topic 1)
You plan to configure BGP for a Site-to-Site VPN connection between a datacenter and Azure.
Which two Azure resources should you configure? Each correct answer presents a part of the
solution. (Choose two.)
NOTE: Each correct selection is worth one point.
 A. a virtual network gateway 
 B. Azure Application Gateway 
 C. Azure Firewall 
 D. a local network gateway 
 E. Azure Front Door 
Correct Answer: AD 
Reference: 
https://docs.microsoft.com/en-us/azure/vpn-gateway/bgp-howto 
Question #4 (Topic 1)
You fail to establish a Site-to-Site VPN connection between your company's main office and an 
Azure virtual network. 
You need to troubleshoot what prevents you from establishing the IPsec tunnel. 
Which diagnostic log should you review? 
 A. IKEDiagnosticLog 
 B. RouteDiagnosticLog 
 C. GatewayDiagnosticLog 
 D. TunnelDiagnosticLog 
Correct Answer: A 
Reference: 
https://docs.microsoft.com/en-us/azure/vpn-gateway/troubleshoot-vpn-with-azure-diagnostics 
IKEDiagnosticLog: this table offers verbose debug logging for IKE/IPsec, which is very useful to
review when troubleshooting VPN disconnections or failure-to-connect scenarios.
Topic 2 - Question Set 2 
Question #1 (Topic 2)
You have two Azure virtual networks named Vnet1 and Vnet2. 
You have a Windows 10 device named Client1 that connects to Vnet1 by using a Point-to-Site (P2S) 
IKEv2 VPN. 
You implement virtual network peering between Vnet1 and Vnet2. Vnet1 allows gateway transit. 
Vnet2 can use the remote gateway. 
You discover that Client1 cannot communicate with Vnet2. 
You need to ensure that Client1 can communicate with Vnet2. 
Solution: You reset the gateway of Vnet1. 
Does this meet the goal? 
 A. Yes 
 B. No 
Correct Answer: B 
The VPN client must be downloaded again if any changes are made to VNet peering or the network 
topology. 
Reference: 
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-point-to-site-routing 
Question #2 (Topic 2)
You have two Azure virtual networks named Vnet1 and Vnet2. 
You have a Windows 10 device named Client1 that connects to Vnet1 by using a Point-to-Site (P2S) 
IKEv2 VPN. 
You implement virtual network peering between Vnet1 and Vnet2. Vnet1 allows gateway transit. 
Vnet2 can use the remote gateway. 
You discover that Client1 cannot communicate with Vnet2. 
You need to ensure that Client1 can communicate with Vnet2. 
Solution: You enable BGP on the gateway of Vnet1. 
Does this meet the goal? 
 A. Yes 
 B. No 
Correct Answer: B 
The VPN client must be downloaded again if any changes are made to VNet peering or the network 
topology. 
Reference: 
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-point-to-site-routing 
Question #3 (Topic 2)
HOTSPOT - 
You have an Azure environment shown in the following exhibit. 
 
Use the drop-down menus to select the answer choice that completes each statement based on 
the information presented in the graphic. 
NOTE: Each correct selection is worth one point. 
Hot Area: 
 
Correct Answer: 
 
Reference: 
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-peering-gateway-transit?toc=/azure/virtual-network/toc.json
Question #4 (Topic 2)
You plan to deploy Azure virtual network. 
You need to design the subnets. 
Which three types of resources require a dedicated subnet? Each correct answer presents a 
complete solution. 
NOTE: Each correct selection is worth one point. 
 A. Azure Bastion 
 B. Azure Active Directory Domain Services 
 C. Azure Private Link 
 D. Azure Application Gateway v2 
 E. VPN gateway 
Correct Answer: ADE 
Reference: 
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-for-azure-services 
Question #5 (Topic 2)
HOTSPOT - 
You have an Azure private DNS zone named contoso.com that is linked to the virtual networks 
shown in the following table. 
 
The links have auto registration enabled. 
You create the virtual machines shown in the following table. 
 
You manually add the following entry to the contoso.com zone: 
✑ Name: VM1
✑ IP address: 10.1.10.9
 
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point. 
Hot Area: 
 
Correct Answer: 
 
Box 1: No - 
The manual DNS record will overwrite the auto-registered DNS record so VM1 will resolve to 
10.1.10.9. 
 
Box 2: No - 
The DNS record for VM1 is now a manually created record rather than an auto-registered record. 
Only auto-registered DNS records are deleted when a VM is deleted. 
 
Box 3: No - 
This answer depends on how the IP address is changed. To change the IP address of a VM 
manually, you would need to select Static as the IP address assignment. In this case, the DNS 
record will not be updated because only DHCP assigned IP addresses are auto-registered. 
Reference: 
https://docs.microsoft.com/en-us/azure/dns/dns-faq-private 
Question #6 (Topic 2)
HOTSPOT - 
Your company has an Azure virtual network named Vnet1 that uses an IP address space of 
192.168.0.0/20. Vnet1 contains a subnet named Subnet1 that uses an 
IP address space of 192.168.0.0/24. 
You add an IPv6 address range to Vnet1 by using a CIDR suffix of /48.
You need to enable the virtual machines on Subnet1 to communicate with each other by using IPv6 
addresses assigned by the company. The solution must minimize the number of additional IPv4 
addresses. 
What should you do? To answer, select the appropriate options in the answer area. 
NOTE: Each correct selection is worth one point. 
Hot Area: 
 
Correct Answer: 
 
Reference: 
https://docs.microsoft.com/en-us/azure/virtual-network/ipv6-overview 
https://docs.microsoft.com/en-us/azure/virtual-network/ipv6-add-to-existing-vnet-powershell 
1) Correct: /64 
Explanation: The subnets for IPv6 must be exactly /64 in size. This ensures future compatibility 
should you decide to enable routing of the subnet to an on-premises network since some routers 
can only accept /64 IPv6 routes. 
Source: https://docs.microsoft.com/en-us/azure/virtual-network/ip-services/ipv6-overview 
2) Correct: Public IPv6 Address 
Explanation: Add IPv6 configuration to NIC. "Configure all of the VM NICs with an IPv6 address 
using Add-AzNetworkInterfaceIpConfig" 
Source: 
https://docs.microsoft.com/en-us/azure/load-balancer/ipv6-add-to-existing-vnet-powershell 
 
Question #7 (Topic 2)
HOTSPOT -
You plan to deploy Azure Virtual WAN.
You need to deploy a virtual WAN hub that meets the following requirements:
✑ Supports 10 sites that will connect to the virtual WAN hub by using a Site-to-Site VPN
connection 
✑ Supports 8 Gbps of ExpressRoute traffic 
✑ Minimizes costs 
What should you configure? To answer, select the appropriate options in the answer area. 
NOTE: Each correct selection is worth one point. 
Hot Area: 
 
Correct Answer: 
 
Reference: 
https://docs.microsoft.com/en-us/azure/virtual-wan/virtual-wan-about 
Basic virtual WAN supports Site-to-Site VPN only.
Standard virtual WAN supports:
✑ ExpressRoute
✑ User VPN (P2S)
✑ VPN (Site-to-Site)
✑ Inter-hub and VNet-to-VNet transit through the virtual hub
✑ Azure Firewall
✑ NVA in a virtual WAN
--------
8 Gbps / 2 Gbps per ExpressRoute scale unit = 4 scale units
Express Route Scale Units and Connectivity: Similar in concept to VPN scale units, customers 
seeking to deploy Express Route connectivity into their Virtual WAN Hubs will incur costs for the 
scale units provisioned in that hub, with options ranging from 1 to 10 with each representing 
2Gbps of ER throughput. 
https://www.wwt.com/article/microsoft-azure-virtual-wan-cloud-networking-architecture 
 
What are Virtual WAN gateway scale units? 
 
A scale unit is a unit defined to pick an aggregate throughput of a gateway in Virtual hub. 1 scale 
unit of VPN = 500 Mbps. 1 scale unit of ExpressRoute = 2 Gbps. Example: 10 scale unit of VPN 
would imply 500 Mbps * 10 = 5 Gbps 
https://docs.microsoft.com/en-us/azure/virtual-wan/virtual-wan-faq#what-are-virtual-wan-gateway-scale-units
 
Question #8 (Topic 2)
DRAG DROP - 
You have an Azure subscription that contains the resources shown in the following table. 
 
The IP Addresses settings for Vnet1 are configured as shown in the exhibit. 
 
You need to ensure that you can integrate WebApp1 and Vnet1. 
Which three actions should you perform in sequence before you can integrate WebApp1 and 
Vnet1? To answer, move the appropriate actions from the list of actions to the answer area and 
arrange them in the correct order. 
Select and Place: 
 
Correct Answer: 
 
Reference: 
https://docs.microsoft.com/en-us/azure/app-service/web-sites-integrate-with-vnet#gateway-required-vnet-integration
The answer is correct; it refers to cross-region (gateway-required) VNet integration.
A service endpoint is for regional (same-region) virtual network integration.
A private endpoint is used for private DNS integration.
 
Question #9 (Topic 2)
DRAG DROP - 
You have two Azure virtual networks named Hub1 and Spoke1. Hub1 connects to an on-premises 
network by using a Site-to-Site VPN connection. 
You are implementing peering between Hub1 and Spoke1. 
You need to ensure that a virtual machine connected to Spoke1 can connect to the on-premises 
network through Hub1. 
How should you complete the PowerShell script? To answer, drag the appropriate values to the 
correct targets. Each value may be used once, more than once, or not at all. You may need to drag 
the split bar between panes or scroll to view content. 
NOTE: Each correct selection is worth one point. 
Select and Place: 
 
Correct Answer: 
 
Reference: 
https://docs.microsoft.com/en-us/azure/architecture/reference-architectures/hybrid-networking/hub-spoke?tabs=cli#virtual-network-peering
-AllowGatewayTransit
Select "Use this virtual network's gateway or Route Server":
- If you have a virtual network gateway attached to this virtual network and want to allow traffic
from the peered virtual network to flow through the gateway.
-UseRemoteGateways
Select "Use the remote virtual network gateway or Route Server":
- If you want to allow traffic from this virtual network to flow through a virtual network gateway
attached to the virtual network you're peering with.

Box 1: The hub tells the spoke to use the hub's VPN gateway to reach the on-premises network.
Box 2: The spoke is told to use the hub's VPN gateway to reach the on-premises network.
 
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-manage-peering 
 
Question #10 (Topic 2)
DRAG DROP - 
You have three on-premises sites. Each site has a third-party VPN device. 
You have an Azure virtual WAN named VWAN1 that has a hub named Hub1. Hub1 connects two of 
the three on-premises sites by using a Site-to-Site VPN connection. 
You need to connect the third site to the other two sites by using Hub1. 
Which four actions should you perform in sequence? To answer, move the appropriate actions 
from the list of actions to the answer area and arrange them in the correct order. 
Select and Place: 
 
Correct Answer: 
 
Reference: 
https://docs.microsoft.com/en-us/azure/virtual-wan/virtual-wan-site-to-site-portal 
Question #11 (Topic 2)
HOTSPOT - 
You are planning an Azure solution that will contain the following types of resources in a single 
Azure region: 
✑ Virtual machine 
✑ Azure App Service 
✑ Virtual Network gateway 
✑ Azure SQL Managed Instance 
App Service and SQL Managed Instance will be delegated to create resources in virtual networks. 
You need to identify how many virtual networks and subnets are required for the solution. The 
solution must minimize costs to transfer data between virtual networks. 
What should you identify? To answer, select the appropriate options in the answer area. 
NOTE: Each correct selection is worth one point. 
Hot Area: 
 
Correct Answer: 
 
Reference: 
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-for-azure-services#services-that-can-be-deployed-into-a-virtual-network
Question #12 (Topic 2)
You have two Azure virtual networks named Vnet1 and Vnet2. 
You have a Windows 10 device named Client1 that connects to Vnet1 by using a Point-to-Site (P2S) 
IKEv2 VPN. 
You implement virtual network peering between Vnet1 and Vnet2. Vnet1 allows gateway transit. 
Vnet2 can use the remote gateway. 
You discover that Client1 cannot communicate with Vnet2. 
You need to ensure that Client1 can communicate with Vnet2. 
Solution: You download and reinstall the VPN client configuration. 
Does this meet the goal? 
 A. Yes 
 B. No 
Correct Answer: A 
The VPN client must be downloaded again if any changes are made to VNet peering or the network 
topology. 
Reference: 
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-point-to-site-routing 
Topic 3 - Question Set 3 
Question #1 (Topic 3)
HOTSPOT - 
You have an Azure subscription that contains the route tables and routes shown in the following 
table. 
 
The subscription contains the subnets shown in the following table. 
 
The subscription contains the virtual machines shown in the following table. 
 
There is a Site-to-Site VPN connection to each local network gateway. 
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point. 
Hot Area: 
 
Correct Answer: 
 
Reference: 
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-udr-overview 
Question #2 (Topic 3)
You have an Azure subscription that contains the public IP addresses shown in the following table. 
 
You plan to deploy a NAT gateway named NAT1. 
Which public IP addresses can be used as the public IP address for NAT1? 
 A. IP3 only 
 B. IP5 only 
 C. IP2 and IP4 only 
 D. IP1, IP3 and IP5 only 
 E. IP3 and IP5 only 
Correct Answer: A 
Only static IPv4 addresses in the Standard SKU are supported. NAT gateway does not support IPv6.
Reference: 
https://docs.microsoft.com/en-us/azure/virtual-network/nat-gateway/nat-overview 
Question #3 (Topic 3)
You have an Azure application gateway named AGW1 that has a routing rule named Rule1. Rule1
directs traffic for http://www.contoso.com to a backend pool named Pool1. Pool1 targets an 
Azure virtual machine scale set named VMSS1. 
You deploy another virtual machine scale set named VMSS2. 
You need to configure AGW1 to direct all traffic for http://www.adatum.com to VMSS2. 
The solution must ensure that requests to http://www.contoso.com continue to be directed to 
Pool1. 
Which three actions should you perform? Each correct answer presents part of the solution. 
NOTE: Each correct selection is worth one point.
 A. Add a backend pool. 
 B. Modify an HTTP setting. 
 C. Add an HTTP setting. 
 D. Add a listener. 
 E. Add a rule. 
Correct Answer: ADE 
Reference: 
https://docs.microsoft.com/en-us/azure/application-gateway/configuration-overview 
Question #4 (Topic 3)
HOTSPOT - 
You have an Azure Traffic Manager parent profile named TM1. TM1 has two child profiles named 
TM2 and TM3. 
TM1 uses the performance traffic-routing method and has the endpoints shown in the following 
table. 
 
TM2 uses the weighted traffic-routing method with MinChildEndpoint = 2 and has the endpoints 
shown in the following table. 
 
TM3 uses priority traffic-routing method and has the endpoints shown in the following table. 
 
The App2, App4, and App6 endpoints have a degraded monitoring status. 
To which endpoint is traffic directed? To answer, select the appropriate options in the answer area. 
NOTE: Each correct selection is worth one point 
Hot Area: 
 
Correct Answer: 
 
Reference: 
https://docs.microsoft.com/en-us/azure/traffic-manager/traffic-manager-nested-profiles 
Traffic from West Europe:
Based on the TM1 table, West Europe will trigger TM2. However, because MinChildEndpoint is set
to 2 and App4 is degraded (down), the entire TM2 profile is not considered available.
This falls back to the parent TM1, which uses the performance traffic-routing method, so the
closest location, App1, naturally becomes the next best-performing instance.
Hence, Answer = App1

Traffic from West US:
Based on the TM1 table, West US will trigger TM3. However, both App2 and App6 are degraded
(down), so neither of them can be considered.
This falls back to the parent TM1, which uses the performance traffic-routing method; from TM1,
the other two US locations would be App2 and App3. App2 is already known to be degraded
(unavailable), so the only option is App3. Answer = App3
 
Question #5 (Topic 3)
You have an Azure application gateway that has Azure Web Application Firewall (WAF) enabled. 
You configure the application gateway to direct traffic to the URL of the application gateway. 
You attempt to access the URL and receive an HTTP 403 error. You view the diagnostics log and 
discover the following error. 
 
You need to ensure that the URL is accessible through the application gateway. 
Solution: You add a rewrite rule for the host header. 
Does this meet the goal? 
 A. Yes 
 B. No 
Correct Answer: B 
 
Question #6 (Topic 3)
HOTSPOT - 
You have an Azure Front Door instance that provides access to a web app. The web app uses a 
hostname of www.contoso.com. 
You have the routing rules shown in the following table. 
 
Which rule will apply to each incoming request? To answer, select the appropriate options in the 
answer area. 
NOTE: Each correct selection is worth one point 
Hot Area: 
 
Correct Answer: 
 
Reference: 
https://docs.microsoft.com/en-us/azure/frontdoor/front-door-route-matching 
Question #7 (Topic 3)
You have an Azure application gateway that has Azure Web Application Firewall (WAF) enabled. 
You configure the application gateway to direct traffic to the URL of the application gateway. 
You attempt to access the URL and receive an HTTP 403 error. You view the diagnostics log and 
discover the following error. 
 
You need to ensure that the URL is accessible through the application gateway. 
Solution: You disable the WAF rule that has a rule Id 920300. 
Does this meet the goal? 
 A. Yes 
 B. No 
Correct Answer: A 
 
Question #8 (Topic 3)
You have an Azure subscription that contains an Azure App Service app. The app uses a URL of
https://www.contoso.com. You need to use a custom domain on Azure Front Door for
www.contoso.com. The custom domain must use a certificate from an allowed certification 
authority (CA). 
What should you include in the solution? 
 A. an enterprise application in Azure Active Directory (Azure AD) 
 B. Active Directory Certificate Services (AD CS) 
 C. Azure Key Vault 
 D. Azure Application Gateway 
Correct Answer: C 
Reference: 
https://docs.microsoft.com/en-us/azure/frontdoor/front-door-custom-domain-https 
https://docs.microsoft.com/en-us/azure/frontdoor/front-door-custom-domain-https#option-2-use-your-own-certificate
Question #9 (Topic 3)
You have an Azure application gateway for a web app named App1. The application gateway 
allows end-to-end encryption. 
You configure the listener for HTTPS by uploading an enterprise-signed certificate. 
You need to ensure that the application gateway can provide end-to-end encryption for App1. 
What should you do? 
 A. Increase the Unhealthy threshold setting in the custom probe. 
 B. Enable the SSL profile to the listener. 
 C. Set Listener type to Multi site. 
 D. Upload the public key certificate to the HTTP settings. 
Correct Answer: D 
Reference: 
Because the customer is using an enterprise certificate, which is not a public certificate that the
gateway can validate publicly, the root certificate (.cer) must be uploaded to the HTTP settings so
that the application gateway trusts App1 in the backend.
https://docs.microsoft.com/en-us/azure/application-gateway/end-to-end-ssl-portal 
Question #10 (Topic 3)
HOTSPOT - 
You have an Azure virtual network named Vnet1 that contains two subnets named Subnet1 and 
Subnet2. 
You have the NAT gateway shown in the NATgateway1 exhibit. 
 
You have the virtual machine shown in the VM1 exhibit. 
 
Subnet1 is configured as shown in the Subnet1 exhibit. 
 
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point. 
Hot Area: 
 
Correct Answer: Yes / No / No (Narender Singh)
 
 
Reference: 
https://docs.microsoft.com/en-us/azure/virtual-network/nat-gateway/nat-gateway-resource 
1 Yes: According to this section, https://docs.microsoft.com/en-us/azure/virtual-network/nat-gateway/nat-gateway-resource#cross-zone-outbound-scenarios-not-supported,
you will not achieve zone redundancy with that setup, but it will work: "While the scenario will
appear to work, its health model and failure mode is undefined from an availability zone point of
view."
2 No: The NAT gateway is configured with only one subnet, and in the Subnet1 configuration you
can clearly see that it is linked to NatGateway1. This is possible because subnets are not a zonal
construct, i.e. they are not assigned to a zone. The VM is zonal, but that's another topic.
3 No: As already stated, a prefix is assigned, not a single public IP. The NAT gateway is using a
public IP prefix. The minimum prefix is /31, or 2 IPs, so it could use different IPs when accessing
the Internet.
 
Question #11 (Topic 3)
You have an Azure application gateway named AppGW1 that balances requests to a web app 
named App1. 
You need to modify the server variables in the response header of App1. 
What should you configure on AppGW1? 
 A. HTTP settings 
 B. rewrites 
 C. rules 
 D. listeners 
Correct Answer: B 
Reference: 
Application Gateway allows you to add, remove, or update HTTP request and response headers 
while the request and response packets move between the client and back-end pools. 
https://docs.microsoft.com/en-us/azure/application-gateway/rewrite-http-headers-url 
Question #12 (Topic 3)
You have an Azure Virtual Desktop deployment that has 500 session hosts.
All outbound traffic to the internet uses a NAT gateway.
During peak business hours, some users report that they cannot access internet resources. In
Azure Monitor, you discover many failed SNAT connections. 
You need to increase the available SNAT connections. 
What should you do? 
 A. Bind the NAT gateway to another subnet. 
 B. Add a public IP address. 
 C. Deploy Azure Standard Load Balancer that has outbound rules. 
Correct Answer: B 
Reference: 
Evaluate if SNAT port exhaustion should be mitigated with additional IP addresses assigned to 
NAT gateway resource. 
https://docs.microsoft.com/en-us/azure/virtual-network/nat-gateway/troubleshoot-nat#snat-exhaustion
https://docs.microsoft.com/en-us/azure/virtual-network/nat-gateway/nat-gateway-resource
Question #13 (Topic 3)
You have an Azure subscription that contains the public IPv4 addresses shown in the following 
table. 
 
You plan to create a load balancer named LB1 that will have the following settings: 
✑ Name: LB1 
✑ Location: West US 
✑ Type: Public 
✑ SKU: Standard 
Which public IPv4 addresses can be used by LB1? 
 A. IP1, IP3, IP4, and IP5 only 
 B. IP3 only 
 C. IP1 and IP3 only 
 D. IP2 only 
 E. IP1, IP2, IP3, IP4, and IP5 
 F. IP3 and IP5 only 
Correct Answer: F 
Reference: 
To assign a frontend IP to a load balancer, two conditions must match: SKU and location. From the
table above, the SKU is Standard and the region is West US.
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-public-ip-address 
Question #14 (Topic 3)
You have the Azure environment shown in the exhibit. 
 
VM1 is a virtual machine that has an instance-level public IP address (ILPIP). 
Basic Load Balancer uses a public IP address. VM1 and VM2 are in the backend pool. 
NAT Gateway uses a public IP address named IP3 that is associated to SubnetA. 
VNet1 has a virtual network gateway that has a public IP address named IP4. 
When initiating outbound traffic to the internet from VM1, which public address is used? 
 A. IP3 
 B. IP2 
 C. IP1 
 D. IP4 
Correct Answer: A – Narender Singh 
Inbound: VM with instance-level public IP address (ILPIP). 
Outbound: NAT gateway 
https://docs.microsoft.com/en-us/azure/virtual-network/nat-gateway/nat-gateway-resource#nat-and-vm-with-instance-level-public-ip-and-public-load-balancer
Question #15 (Topic 3)
You are configuring two network virtual appliances (NVAs) in an Azure virtual network. The NVAs 
will be used to inspect all the traffic within the virtual network. 
You need to provide high availability for the NVAs. The solution must minimize administrative 
effort. 
What should you include in the solution? 
 A. Azure Standard Load Balancer 
 B. Azure Application Gateway 
 C. Azure Traffic Manager 
 D. Azure Front Door 
Correct Answer: A 
Reference: 
https://docs.microsoft.com/en-us/azure/architecture/reference-architectures/dmz/nva-ha?tabs=cli
Question #16 (Topic 3)
You have five virtual machines that run Windows Server. Each virtual machine hosts a different 
web app. 
You plan to use an Azure application gateway to provide access to each web app by using a 
hostname of www.contoso.com and a different URL path for each web app, for example: 
https://www.contoso.com/app1.
You need to control the flow of traffic based on the URL path. 
What should you configure? 
 A. HTTP settings 
 B. listeners 
 C. rules 
 D. rewrites 
Correct Answer: C 
Reference: URL path-based rules route traffic to /app1, /app2, and so on.
https://docs.microsoft.com/en-us/azure/application-gateway/url-route-overview 
Question #17 (Topic 3)
You plan to publish a website that will use an FQDN of www.contoso.com. The website will be
hosted by using the Azure App Service apps shown in the following table. 
 
You plan to use Azure Traffic Manager to manage the routing of traffic for www.contoso.com 
between AS1 and AS2. 
You need to ensure that Traffic Manager routes traffic for www.contoso.com.
Which DNS record should you create? 
 A. two A records that map www.contoso.com to 131.107.100.1 and 131.107.200.1 
 B. a CNAME record that maps www.contoso.com to TMprofile1.azurefd.net
 C. a CNAME record that maps www.contoso.com to TMprofile1.trafficmanager.net
 D. a TXT record that contains a string of as1.contoso.com and as2.contoso.com in the 
details 
Correct Answer: C 
Reference: 
Only CNAME records are supported when you configure a domain name using the Traffic Manager 
endpoint. Because A records are not supported, a root domain mapping, such as contoso.com is 
also not supported. 
https://docs.microsoft.com/en-us/azure/traffic-manager/quickstart-create-traffic-manager-profile 
https://docs.microsoft.com/en-us/azure/app-service/configure-domain-traffic-manager 
 
Question #18 (Topic 3)
You have an Azure application gateway that has Azure Web Application Firewall (WAF) enabled. 
You configure the application gateway to direct traffic to the URL of the application gateway. 
You attempt to access the URL and receive an HTTP 403 error. You view the diagnostics log and 
discover the following error. 
 
You need to ensure that the URL is accessible through the application gateway. 
Solution: You create a WAF policy exclusion for request headers that contain 137.135.10.24. 
Does this meet the goal? 
 A. Yes 
 B. No 
Correct Answer: B 
 
Topic 4 - Question Set 4 
Question #1 (Topic 4)
You have an Azure virtual network that contains the subnets shown in the following table. 
 
You deploy an Azure firewall to AzureFirewallSubnet. You route all traffic from Subnet2 through the 
firewall. 
You need to ensure that all the hosts on Subnet2 can access an external site located at 
https://*.contoso.com 
What should you do? 
 A. In a firewall policy, create a DNAT rule. 
 B. Create a network security group (NSG) and associate the NSG to Subnet2. 
 C. In a firewall policy, create a network rule. 
 D. In a firewall policy, create an application rule. 
Correct Answer: D 
Reference: 
✑ Application rules that define fully qualified domain names (FQDNs) that can be accessed 
from a subnet. 
✑ Network rules that define source address, protocol, destination port, and destination 
address. 
https://docs.microsoft.com/en-us/azure/firewall/tutorial-firewall-deploy-portal 
Question #2 - Topic 4 
You have an Azure Web Application Firewall (WAF) policy in prevention mode that is associated to 
an Azure Front Door instance. 
You need to configure the policy to meet the following requirements: 
✑ Log all connections from Australia. 
✑ Deny all connections from New Zealand. 
✑ Deny all further connections from a network of 131.107.100.0/24 if there are more than 100 
connections during one minute. 
What is the minimum number of objects you should create? 
 A. three custom rules that each has one condition 
 B. one custom rule that has three conditions 
 C. one custom rule that has one condition 
 D. one rule that has two conditions and another rule that has one condition 
Correct Answer: A 
Reference: All 3 requirements have different conditions and actions. 
https://docs.microsoft.com/en-us/azure/web-application-firewall/afds/afds-overview 
Question #3 - Topic 4 
You have an Azure subscription that contains multiple virtual machines in the West US Azure 
region. 
You need to use Traffic Analytics. 
Which two resources should you create? Each correct answer presents part of the solution. 
(Choose two.) 
NOTE: 
Each correct answer selection is worth one point. 
 A. an Azure Monitor workbook 
 B. a Log Analytics workspace 
 C. a storage account 
 D. an Azure Sentinel workspace 
 E. an Azure Monitor data collection rule 
Correct Answer: BC 
Reference: 
1- A Network Watcher enabled subscription. 
2- Network Security Group (NSG) flow logs enabled for the NSGs you want to monitor. 
3- An Azure Storage account, to store raw flow logs. 
4- An Azure Log Analytics workspace, with read and write access. 
So according to items 3 and 4, B and C are the correct answers. 
https://docs.microsoft.com/en-us/azure/network-watcher/traffic-analytics 
Question #4 - Topic 4 
HOTSPOT - 
You have an Azure subscription that contains the virtual machines shown in the following table. 
 
Subnet1 and Subnet2 are associated to a network security group (NSG) named NSG1 that has the 
following outbound rule: 
✑ Priority: 100 
✑ Port: Any 
✑ Protocol: Any 
✑ Source: Any 
✑ Destination: Storage 
✑ Action: Deny 
You create a private endpoint that has the following settings: 
✑ Name: Private1 
✑ Resource type: Microsoft.Storage/storageAccounts 
✑ Resource: storage1 
✑ Target sub-resource: blob 
✑ Virtual network: Vnet1 
✑ Subnet: Subnet1 
For each of the following statements, select Yes if the statement is true. Otherwise, select No. 
NOTE: Each correct selection is worth one point. 
Hot Area: 
Correct Answer: - Narender Singh 
 
 
Reference: 
https://docs.microsoft.com/en-us/azure/private-link/disable-private-endpoint-network-policy 
Yes, Yes, Yes 
NSG rules applied to the subnet hosting the private endpoint are not applied to the private 
endpoint itself, so NSG1 does not limit storage access from either VM1 or VM2. 
https://docs.microsoft.com/en-us/azure/storage/common/storage-private-endpoints#network-security-group-rules-for-subnets-with-private-endpoints 
 
Question #5 - Topic 4 
HOTSPOT - 
You have an Azure firewall shown in the following exhibit. 
 
Use the drop-down menus to select the answer choice that completes each statement based on 
the information presented in the graphic. 
NOTE: Each correct selection is worth one point. 
Hot Area: 
 
Correct Answer: 
 
Box 1: 
If forced tunneling were enabled, the firewall subnet would be named 
AzureFirewallManagementSubnet. Forced tunneling can only be enabled during the creation of the 
firewall; it cannot be enabled after the firewall has been deployed. 
Box 2: 
The “Visit Azure Firewall Manager to configure and manage this firewall” link in the exhibit shows 
that the firewall is managed by Azure Firewall Manager. 
Question #6 - Topic 4 
You have a hybrid environment that uses ExpressRoute to connect an on-premises network and 
Azure. 
You need to log the uptime and the latency of the connection periodically by using an Azure virtual 
machine and an on-premises virtual machine. 
What should you use? 
 A. Azure Monitor 
 B. IP flow verify 
 C. Connection Monitor 
 D. Azure Internet Analyzer 
Correct Answer: C 
Reference: 
https://docs.microsoft.com/en-us/azure/network-watcher/connection-monitor 
Question #7 - Topic 4 
You have an Azure subscription that contains the following resources: 
✑ A virtual network named Vnet1 
✑ Two subnets named subnet1 and AzureFirewallSubnet 
✑ A public Azure Firewall named FW1 
✑ A route table named RT1 that is associated to Subnet1 
✑ A rule routing of 0.0.0.0/0 to FW1 in RT1 
After deploying 10 servers that run Windows Server to Subnet1, you discover that none of the 
virtual machines were activated. 
You need to ensure that the virtual machines can be activated. 
What should you do? 
 A. On FW1, create an outbound service tag rule for AzureCloud. 
 B. On FW1, create an outbound network rule that allows traffic to the Azure Key 
Management Service (KMS). 
 C. Deploy a NAT gateway. 
 D. To Subnet1, associate a network security group (NSG) that allows outbound access to 
port 1688. 
Correct Answer: B 
Reference: 
When you use forced tunneling, Windows activation traffic must be allowed to reach the Azure 
KMS servers, either in the way described in option B or by adding a UDR that sends KMS 
outbound traffic to the internet. 
https://ryanmangansitblog.com/2020/05/11/firewall-considerations-windows-virtual-desktop-wvd/ 
 
Question #8 - Topic 4 
HOTSPOT - 
You have an Azure application gateway named AppGW1 that provides access to the following 
hosts: 
✑ www.adatum.com 
✑ www.contoso.com 
✑ www.fabrikam.com 
AppGW1 has the listeners shown in the following table. 
 
You create Azure Web Application Firewall (WAF) policies for AppGW1 as shown in the following 
table. 
 
For each of the following statements, select Yes if the statement is true. Otherwise, select No. 
NOTE: Each correct selection is worth one point. 
Hot Area: 
 
Correct Answer: 
 
Reference: 
https://docs.microsoft.com/en-us/azure/web-application-firewall/ag/per-site-policies 
Question #9 - Topic 4 
You have an Azure virtual network that contains a subnet named Subnet1. Subnet1 is associated to 
a network security group (NSG) named NSG1. NSG1 blocks all outbound traffic that is not allowed 
explicitly. 
Subnet1 contains virtual machines that must communicate with the Azure Cosmos DB service. 
You need to create an outbound security rule in NSG1 to enable the virtual machines to connect to 
Azure Cosmos DB. 
What should you include in the solution? 
 A. a service tag 
 B. a private endpoint 
 C. a subnet delegation 
 D. an application security group 
Correct Answer: A 
Reference: You can use service tags to define network access controls on network security groups 
or Azure Firewall. 
https://docs.microsoft.com/en-us/azure/virtual-network/service-tags-overview 
Topic 5 - Question Set 5 
Question #1 - Topic 5 
HOTSPOT - 
You have the Azure App Service app shown in the App Service exhibit. 
 
The VNet Integration settings for as12 are configured as shown in the Vnet Integration exhibit. 
 
The Private Endpoint connections settings for as12 are configured as shown in the Private 
Endpoint connections exhibit. 
 
For each of the following statements, select Yes if the statement is true. Otherwise, select No. 
NOTE: Each correct selection is worth one point. 
Hot Area: 
 
Correct Answer: 
 
Reference: 
https://docs.microsoft.com/en-us/azure/app-service/web-sites-integrate-with-vnet 
Question #2 - Topic 5 
DRAG DROP - 
You have an Azure virtual network named Vnet1 that connects to an on-premises network. 
You have an Azure Storage account named storageaccount1 that contains blob storage. 
You need to configure a private endpoint for the blob storage. The solution must meet the 
following requirements: 
✑ Ensure that all on-premises users can access storageaccount1 through the private endpoint. 
✑ Prevent access to storageaccount1 from being interrupted. 
Which four actions should you perform in sequence? To answer, move the appropriate actions 
from the list of actions to the answer area and arrange them in the correct order. 
Select and Place: 
 
Correct Answer: 
 
168.63.129.16 is the IP address of Azure DNS, which hosts Azure Private DNS zones. It is only 
reachable from within a VNet, which is why on-premises DNS requests must be forwarded to the VM 
running DNS in the VNet. That VM then forwards the request to Azure DNS to resolve the IP of the 
storage account private endpoint. 
Reference: 
https://docs.microsoft.com/en-us/azure/storage/common/storage-private-endpoints 
Question #3 - Topic 5 
You have an Azure virtual network named Vnet1 that has one subnet. Vnet1 is in the West Europe 
Azure region. 
You deploy an Azure App Service app named App1 to the West Europe region. 
You need to provide App1 with access to the resources in Vnet1. The solution must minimize 
costs. 
What should you do first? 
 A. Create a private link. 
 B. Create a gateway subnet and deploy a virtual network gateway. 
 C. Create a NAT gateway. 
 D. Create a new subnet. 
Correct Answer: D 
Reference: 
D, because the resources are in the same region (regional VNet Integration), and a new subnet does 
not incur a cost. The VPN gateway solution incurs a cost (gateway-required VNet Integration: when 
you connect directly to a VNet in another region or to a classic virtual network in the same region, 
you need an Azure virtual network gateway provisioned in the target VNet). 
https://docs.microsoft.com/en-us/azure/app-service/web-sites-integrate-with-vnet 
 
Question #4 - Topic 5 
You have an Azure subscription that is linked to an Azure Active Directory (Azure AD) tenant 
named contoso.onmicrosoft.com. The subscription contains the following resources: 
✑ An Azure App Service app named App1 
✑ An Azure DNS zone named contoso.com 
✑ An Azure private DNS zone named private.contoso.com 
✑ A virtual network named Vnet1 
You create a private endpoint for App1. The record for the endpoint is registered automatically in 
Azure DNS. 
You need to provide a developer with the name that is registered in Azure DNS for the private 
endpoint. 
What should you provide? 
 A. app1.contoso.onmicrosoft.com 
 B. app1.private.contoso.com 
 C. app1.privatelink.azurewebsites.net 
 D. app1.contoso.com 
Correct Answer: C 
When you use a private endpoint for a web app, the requested URL must match the name of your web 
app, which by default is mywebappname.azurewebsites.net. 
By default, without a private endpoint, the public name of your web app is a canonical name to the 
cluster. For example, the name resolution will be: 
DNS Name                               Type   Value 
mywebapp.azurewebsites.net             CNAME  clustername.azurewebsites.windows.net 
clustername.azurewebsites.windows.net  CNAME  cloudservicename.cloudapp.net 
cloudservicename.cloudapp.net          A      40.122.110.154 
When you deploy a private endpoint, the DNS entry is updated to point to the canonical name 
mywebapp.privatelink.azurewebsites.net. 
For example, the name resolution will be: 
DNS Name                                Type   Value                                   Remark 
mywebapp.azurewebsites.net              CNAME  mywebapp.privatelink.azurewebsites.net 
mywebapp.privatelink.azurewebsites.net  CNAME  clustername.azurewebsites.windows.net 
clustername.azurewebsites.windows.net   CNAME  cloudservicename.cloudapp.net 
cloudservicename.cloudapp.net           A      40.122.110.154 
https://docs.microsoft.com/en-us/azure/app-service/networking/private-endpoint 
Hence the answer is C. 
 
Topic 6 - Testlet 1 
Question #1 - Topic 6 
Introductory Info 
Case Study - 
 
Overview - 
Litware, Inc. is a financial company that has a main datacenter in Boston and 20 branch offices 
across the United States. Users have Android, iOS, and Windows 
10 devices. 
 
Existing Environment - 
 
Hybrid Environment - 
The on-premises network contains an Active Directory forest named litwareinc.com that syncs to 
an Azure Active Directory (Azure AD) tenant named litwareinc.com by using Azure AD Connect. 
All offices connect to a virtual network named Vnet1 by using a Site-to-Site VPN connection. 
 
Azure Environment - 
Litware has an Azure subscription named Sub1 that is linked to the litwareinc.com Azure AD 
tenant. Sub1 contains resources in the East US Azure region as shown in the following table. 
There is bidirectional peering between Vnet1 and Vnet2. There is bidirectional peering between 
Vnet1 and Vnet3. Currently, Vnet2 and Vnet3 cannot communicate directly. 
 
Requirements - 
 
Business Requirements - 
Litware wants to minimize costs whenever possible, as long as all other requirements are met. 
 
Virtual Networking Requirements - 
Litware identifies the following virtual networking requirements: 
Direct the default route of 0.0.0.0/0 on Vnet2 and Vnet3 to the Boston datacenter over an 
ExpressRoute circuit. 
Ensure that the records in the cloud.litwareinc.com can be resolved from the on-premises 
locations. 
 
Automatically register the DNS names of Azure virtual machines to the cloud.litwareinc.com zone. 
Minimize the size of the subnets allocated to platform-managed services. 
Allow traffic from VMScaleSet1 to VMScaleSet2 on the TCP port 443 only. 
 
Hybrid Networking Requirements - 
Litware identifies the following hybrid networking requirements: 
Users must be able to connect to Vnet1 by using a Point-to-Site (P2S) VPN when working remotely. 
Connections must be authenticated by Azure AD. 
Latency of the traffic between the Boston datacenter and all the virtual networks must be 
minimized. 
The Boston datacenter must connect to the Azure virtual networks by using an ExpressRoute 
FastPath connection. 
Traffic between Vnet2 and Vnet3 must be routed through Vnet1. 
 
PaaS Networking Requirements - 
Litware identifies the following networking requirements for platform as a service (PaaS): 
The storage1 account must be accessible from all on-premises locations without exposing the 
public endpoint of storage1. 
The storage2 account must be accessible from Vnet2 and Vnet3 without exposing the public 
endpoint of storage2. 
Question 
HOTSPOT - 
You need to recommend a configuration for the ExpressRoute connection from the Boston 
datacenter. The solution must meet the hybrid networking requirements and business 
requirements. 
What should you recommend? To answer, select the appropriate options in the answer area. 
NOTE: Each correct selection is worth one point. 
Hot Area: 
 
Correct Answer: 
 
Ultra Performance is correct: for ExpressRoute FastPath, the virtual network gateway must be either 
UltraPerformance or ErGw3AZ. 
https://docs.microsoft.com/en-us/azure/expressroute/about-fastpath#gateways 
The second answer is correct: gateway transit allows you to share an ExpressRoute or VPN gateway with all 
peered VNets and lets you manage the connectivity in one place. Sharing enables cost savings and 
a reduction in management overhead. 
Topic 7 - Testlet 2 
Question #1 - Topic 7 
Introductory Info 
Case Study - 
 
Overview - 
Contoso, Ltd. is a consulting company that has a main office in San Francisco and a branch office 
in Dallas. 
Contoso recently purchased an Azure subscription and is performing its first pilot project in Azure. 
 
Existing Environment - 
 
Azure Network Infrastructure - 
Contoso has an Azure Active Directory (Azure AD) tenant named contoso.com. 
The Azure subscription contains the virtual networks shown in the following table. 
 
Vnet1 contains a virtual network gateway named GW1. 
 
Azure Virtual Machines - 
The Azure subscription contains virtual machines that run Windows Server 2019 as shown in the 
following table. 
 
The NSGs are associated to the network interfaces on the virtual machines. Each NSG has one 
custom security rule that allows RDP connections from the internet. The firewall on each virtual 
machine allows ICMP traffic. 
An application security group named ASG1 is associated to the network interface of VM1. 
 
Azure Private DNS Zones - 
The Azure subscription contains the Azure private DNS zones shown in the following table. 
 
Zone1.contoso.com has the virtual network links shown in the following table. 
 
 
Other Azure Resources - 
The Azure subscription contains additional resources as shown in the following table. 
 
 
Requirements - 
 
Virtual Network Requirements - 
Contoso has the following virtual network requirements: 
Create a virtual network named Vnet6 in West US that will contain the following resources and 
configurations: 
- Two container groups that connect to Vnet6 
- Three virtual machines that connect to Vnet6 
- Allow VPN connections to be established to Vnet6 
- Allow the resources in Vnet6 to access KeyVault1, DB1, and Vnet1 over the Microsoft backbone 
network. 
The virtual machines in Vnet4 and Vnet5 must be able to communicate over the Microsoft 
backbone network. 
A virtual machine named VM-Analyze will be deployed to Subnet1. VM-Analyze must inspect the 
outbound network traffic from Subnet2 to the internet. 
 
Network Security Requirements - 
Contoso has the following network security requirements: 
Configure Azure Active Directory (Azure AD) authentication for Point-to-Site (P2S) VPN users. 
Enable NSG flow logs for NSG3 and NSG4. 
Create an NSG named NSG10 that will be associated to Vnet1/Subnet1 and will have the custom 
inbound security rules shown in the following table. 
 
Create an NSG named NSG11 that will be associated to Vnet1/Subnet2 and will have the custom 
outbound security rules shown in the following table. 
 
Question 
You need to configure GW1 to meet the network security requirements for the P2S VPN users. 
Which Tunnel type should you select in the Point-to-site configuration settings of GW1? 
 A. IKEv2 and OpenVPN (SSL) 
 B. IKEv2 
 C. IKEv2 and SSTP (SSL) 
 D. OpenVPN (SSL) 
 E. SSTP (SSL) 
Correct Answer: D 
Reference: The answer, D (OpenVPN (SSL)), is correct. There is a catch in the requirement 
"Configure Azure Active Directory (Azure AD) authentication for Point-to-Site (P2S) VPN users": 
native Azure AD authentication is only supported for the OpenVPN protocol on Windows 10 and 
requires the use of the Azure VPN Client. 
https://docs.microsoft.com/en-us/azure/vpn-gateway/point-to-site-about#authenticate-using-native-azure-active-directory-authentication 
https://docs.microsoft.com/en-us/azure/vpn-gateway/openvpn-azure-ad-tenant 
Topic 8 - Testlet 3 
Question #1 - Topic 8 
Introductory Info 
Case Study - 
 
Overview - 
Contoso, Ltd. is a consulting company that has a main office in San Francisco and a branch office 
in Dallas. 
Contoso recently purchased an Azure subscription and is performing its first pilot project in Azure. 
 
Existing Environment - 
 
Azure Network Infrastructure - 
Contoso has an Azure Active Directory (Azure AD) tenant named contoso.com. 
The Azure subscription contains the virtual networks shown in the following table. 
 
Vnet1 contains a virtual network gateway named GW1. 
 
Azure Virtual Machines - 
The Azure subscription contains virtual machines that run Windows Server 2019 as shown in the 
following table. 
 
The NSGs are associated to the network interfaces on the virtual machines. Each NSG has one 
custom security rule that allows RDP connections from the internet. The firewall on each virtual 
machine allows ICMP traffic. 
An application security group named ASG1 is associated to the network interface of VM1. 
 
Azure Private DNS Zones - 
The Azure subscription contains the Azure private DNS zones shown in the following table. 
 
Zone1.contoso.com has the virtual network links shown in the following table. 
 
 
Other Azure Resources - 
The Azure subscription contains additional resources as shown in the following table. 
 
 
Requirements - 
 
Virtual Network Requirements - 
Contoso has the following virtual network requirements: 
Create a virtual network named Vnet6 in West US that will contain the following resources and 
configurations: 
- Two container groups that connect to Vnet6 
- Three virtual machines that connect to Vnet6 
- Allow VPN connections to be established to Vnet6 
- Allow the resources in Vnet6 to access KeyVault1, DB1, and Vnet1 over the Microsoft backbone 
network. 
The virtual machines in Vnet4 and Vnet5 must be able to communicate over the Microsoft 
backbone network. 
A virtual machine named VM-Analyze will be deployed to Subnet1. VM-Analyze must inspect the 
outbound network traffic from Subnet2 to the internet. 
 
Network Security Requirements - 
Contoso has the following network security requirements: 
Configure Azure Active Directory (Azure AD) authentication for Point-to-Site (P2S) VPN users. 
Enable NSG flow logs for NSG3 and NSG4. 
Create an NSG named NSG10 that will be associated to Vnet1/Subnet1 and will have the custom 
inbound security rules shown in the following table. 
 
Create an NSG named NSG11 that will be associated to Vnet1/Subnet2 and will have the custom 
outbound security rules shown in the following table. 
 
Question 
HOTSPOT - 
Which virtual machines can VM1 and VM4 ping successfully? To answer, select the appropriate 
options in the answer area. 
NOTE: Each correct selection is worth one point. 
Hot Area: 
 
Correct Answer: 
 
Box 1: VM2, VM3 and VM4. 
VM1 is in VNet1/Subnet1. VNet1 is peered with VNet2 and VNet3. 
There are no NSGs blocking outbound ICMP from VNet1. There are no NSGs blocking inbound 
ICMP to VNet1/Subnet2, VNet2 or VNet3. Therefore, VM1 can ping VM2 in VNet1/Subnet2, VM3 in 
VNet2 and VM4 in VNet3. 
Box 2: 
VM4 is in VNet3. VNet3 is peered with VNet1 and VNet2. There are no NSGs blocking outbound 
ICMP from VNet3. There are no NSGs blocking inbound ICMP to VNet1/Subnet1, VNet1/Subnet2 or 
VNet2 from VNet3 (NSG10 blocks inbound ICMP from VNet4 but not from VNet3). Therefore, VM4 
can ping VM1 in VNet1/Subnet1, VM2 in VNet1/Subnet2 and VM3 in VNet2. 
Question #2 - Topic 8 
Introductory Info 
Case Study - 
 
Overview - 
Contoso, Ltd. is a consulting company that has a main office in San Francisco and a branch office 
in Dallas. 
Contoso recently purchased an Azure subscription and is performing its first pilot project in Azure. 
 
Existing Environment - 
 
Azure Network Infrastructure - 
Contoso has an Azure Active Directory (Azure AD) tenant named contoso.com. 
The Azure subscription contains the virtual networks shown in the following table. 
 
Vnet1 contains a virtual network gateway named GW1. 
 
Azure Virtual Machines - 
The Azure subscription contains virtual machines that run Windows Server 2019 as shown in the 
following table. 
 
The NSGs are associated to the network interfaces on the virtual machines. Each NSG has one 
custom security rule that allows RDP connections from the internet. The firewall on each virtual 
machine allows ICMP traffic. 
An application security group named ASG1 is associated to the network interface of VM1. 
 
Azure Private DNS Zones - 
The Azure subscription contains the Azure private DNS zones shown in the following table. 
 
Zone1.contoso.com has the virtual network links shown in the following table. 
 
 
Other Azure Resources - 
The Azure subscription contains additional resources as shown in the following table. 
 
 
Requirements - 
 
Virtual Network Requirements - 
Contoso has the following virtual network requirements: 
Create a virtual network named Vnet6 in West US that will contain the following resources and 
configurations: 
- Two container groups that connect to Vnet6 
- Three virtual machines that connect to Vnet6 
- Allow VPN connections to be established to Vnet6 
- Allow the resources in Vnet6 to access KeyVault1, DB1, and Vnet1 over the Microsoft backbone 
network. 
The virtual machines in Vnet4 and Vnet5 must be able to communicate over the Microsoft 
backbone network. 
A virtual machine named VM-Analyze will be deployed to Subnet1. VM-Analyze must inspect the 
outbound network traffic from Subnet2 to the internet. 
 
Network Security Requirements - 
Contoso has the following network security requirements: 
Configure Azure Active Directory (Azure AD) authentication for Point-to-Site (P2S) VPN users. 
Enable NSG flow logs for NSG3 and NSG4. 
Create an NSG named NSG10 that will be associated to Vnet1/Subnet1 and will have the custom 
inbound security rules shown in the following table. 
 
Create an NSG named NSG11 that will be associated to Vnet1/Subnet2 and will have the custom 
outbound security rules shown in the following table. 
 
Question 
What should you implement to meet the virtual network requirements for the virtual machines that 
connect to Vnet4 and Vnet5? 
 A. a private endpoint 
 B. a routing table 
 C. a service endpoint 
 D. a private link service 
 E. a virtual network peering 
Correct Answer: E 
There is no virtual network peering between VM4's VNet (VNet3) and VM5's VNet (VNet4). To 
enable the VMs to communicate over the Microsoft backbone network, a VNet peering is required 
between VNet3 and VNet4. 
Topic 9 - Testlet 4 
Question #1 - Topic 9 
Introductory Info 
Case Study - 
 
Overview - 
Litware, Inc. is a financial company that has a main datacenter in Boston and 20 branch offices 
across the United States. Users have Android, iOS, and Windows 
10 devices. 
 
Existing Environment - 
 
Hybrid Environment - 
The on-premises network contains an Active Directory forest named litwareinc.com that syncs to 
an Azure Active Directory (Azure AD) tenant named litwareinc.com by using Azure AD Connect. 
All offices connect to a virtual network named Vnet1 by using a Site-to-Site VPN connection. 
 
Azure Environment - 
Litware has an Azure subscription named Sub1 that is linked to the litwareinc.com Azure AD 
tenant. Sub1 contains resources in the East US Azure region as shown in the following table. 
 
There is bidirectional peering between Vnet1 and Vnet2. There is bidirectional peering between 
Vnet1 and Vnet3. Currently, Vnet2 and Vnet3 cannot communicate directly. 
 
Requirements - 
 
Business Requirements - 
Litware wants to minimize costs whenever possible, as long as all other requirements are met. 
 
Virtual Networking Requirements - 
Litware identifies the following virtual networking requirements: 
Direct the default route of 0.0.0.0/0 on Vnet2 and Vnet3 to the Boston datacenter over an 
ExpressRoute circuit. 
Ensure that the records in the cloud.litwareinc.com can be resolved from the on-premises 
locations. 
Automatically register the DNS names of Azure virtual machines to the cloud.litwareinc.com zone. 
Minimize the size of the subnets allocated to platform-managed services. 
Allow traffic from VMScaleSet1 to VMScaleSet2 on the TCP port 443 only. 
 
Hybrid Networking Requirements - 
Litware identifies the following hybrid networking requirements: 
Users must be able to connect to Vnet1 by using a Point-to-Site (P2S) VPN when working remotely. 
Connections must be authenticated by Azure AD. 
Latency of the traffic between the Boston datacenter and all the virtual networks must be 
minimized. 
The Boston datacenter must connect to the Azure virtual networks by using an ExpressRoute 
FastPath connection. 
Traffic between Vnet2 and Vnet3 must be routed through Vnet1. 
 
PaaS Networking Requirements - 
Litware identifies the following networking requirements for platform as a service (PaaS): 
The storage1 account must be accessible from all on-premises locations without exposing the 
public endpoint of storage1. 
The storage2 account must be accessible from Vnet2 and Vnet3 without exposing the public 
endpoint of storage2. 
Question 
DRAG DROP - 
You need to implement outbound connectivity for VMScaleSet1. The solution must meet the virtual 
networking requirements and the business requirements. 
Which three actions should you perform in sequence? To answer, move the appropriate actions 
from the list of actions to the answer area and arrange them in the correct order. 
Select and Place: 
 
Correct Answer: 
 
Reference: 
https://docs.microsoft.com/en-us/azure/load-balancer/skus 
https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-outbound-connections#outboundrules 
Question #2 - Topic 9 
Introductory Info 
Case Study - 
 
Overview - 
Litware, Inc. is a financial company that has a main datacenter in Boston and 20 branch offices 
across the United States. Users have Android, iOS, and Windows 
10 devices. 
 
Existing Environment - 
 
Hybrid Environment - 
The on-premises network contains an Active Directory forest named litwareinc.com that syncs to 
an Azure Active Directory (Azure AD) tenant named litwareinc.com by using Azure AD Connect. 
All offices connect to a virtual network named Vnet1 by using a Site-to-Site VPN connection. 
 
Azure Environment - 
Litware has an Azure subscription named Sub1 that is linked to the litwareinc.com Azure AD 
tenant. Sub1 contains resources in the East US Azure region as shown in the following table. 
 
There is bidirectional peering between Vnet1 and Vnet2. There is bidirectional peering between 
Vnet1 and Vnet3. Currently, Vnet2 and Vnet3 cannot communicate directly. 
 
Requirements - 
 
Business Requirements - 
Litware wants to minimize costs whenever possible, as long as all other requirements are met. 
 
Virtual Networking Requirements - 
Litware identifies the following virtual networking requirements: 
Direct the default route of 0.0.0.0/0 on Vnet2 and Vnet3 to the Boston datacenter over an 
ExpressRoute circuit. 
Ensure that the records in the cloud.litwareinc.com can be resolved from the on-premises 
locations. 
Automatically register the DNS names of Azure virtual machines to the cloud.litwareinc.com zone. 
Minimize the size of the subnets allocated to platform-managed services. 
Allow traffic from VMScaleSet1 to VMScaleSet2 on the TCP port 443 only. 
 
Hybrid Networking Requirements - 
Litware identifies the following hybrid networking requirements: 
Users must be able to connect to Vnet1 by using a Point-to-Site (P2S) VPN when working remotely. 
Connections must be authenticated by Azure AD. 
Latency of the traffic between the Boston datacenter and all the virtual networks must be 
minimized. 
The Boston datacenter must connect to the Azure virtual networks by using an ExpressRoute 
FastPath connection. 
Traffic between Vnet2 and Vnet3 must be routed through Vnet1. 
 
PaaS Networking Requirements - 
Litware identifies the following networking requirements for platform as a service (PaaS): 
The storage1 account must be accessible from all on-premises locations without exposing the 
public endpoint of storage1. 
The storage2 account must be accessible from Vnet2 and Vnet3 without exposing the public 
endpoint of storage2. 
Question 
You need to configure the default route in Vnet2 and Vnet3. The solution must meet the virtual 
networking requirements. 
What should you use to configure the default route? 
 A. a user-defined route assigned to GatewaySubnet in Vnet2 and Vnet3 
 B. BGP route exchange 
 C. a user-defined route assigned to GatewaySubnet in Vnet1 
 D. route filters 
Correct Answer: B – Narender Singh 
Reference: You cannot specify a virtual network gateway created as type ExpressRoute in a 
user-defined route, because with ExpressRoute you must use BGP for custom routes. 
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-udr-overview 
https://docs.microsoft.com/en-us/azure/firewall/tutorial-hybrid-portal 
Question #1 - Topic 10 
Introductory Info 
Case Study - 
 
Overview - 
Contoso, Ltd. is a consulting company that has a main office in San Francisco and a branch office 
in Dallas. 
Contoso recently purchased an Azure subscription and is performing its first pilot project in Azure. 
 
Existing Environment - 
 
Azure Network Infrastructure - 
Contoso has an Azure Active Directory (Azure AD) tenant named contoso.com. 
The Azure subscription contains the virtual networks shown in the following table. 
 
Vnet1 contains a virtual network gateway named GW1. 
 
Azure Virtual Machines - 
The Azure subscription contains virtual machines that run Windows Server 2019 as shown in the 
following table. 
 
The NSGs are associated to the network interfaces on the virtual machines. Each NSG has one 
custom security rule that allows RDP connections from the internet. The firewall on each virtual 
machine allows ICMP traffic. 
An application security group named ASG1 is associated to the network interface of VM1. 
 
Azure Private DNS Zones - 
The Azure subscription contains the Azure private DNS zones shown in the following table. 
 
Zone1.contoso.com has the virtual network links shown in the following table. 
 
 
Other Azure Resources - 
The Azure subscription contains additional resources as shown in the following table. 
 
 
Requirements - 
 
Virtual Network Requirements - 
Contoso has the following virtual network requirements: 
Create a virtual network named Vnet6 in West US that will contain the following resources and 
configurations: 
- Two container groups that connect to Vnet6 
- Three virtual machines that connect to Vnet6 
- Allow VPN connections to be established to Vnet6 
- Allow the resources in Vnet6 to access KeyVault1, DB1, and Vnet1 over the Microsoft backbone 
network. 
The virtual machines in Vnet4 and Vnet5 must be able to communicate over the Microsoft 
backbone network. 
A virtual machine named VM-Analyze will be deployed to Subnet1. VM-Analyze must inspect the 
outbound network traffic from Subnet2 to the internet. 
 
Network Security Requirements - 
Contoso has the following network security requirements: 
Configure Azure Active Directory (Azure AD) authentication for Point-to-Site (P2S) VPN users. 
Enable NSG flow logs for NSG3 and NSG4. 
Create an NSG named NSG10 that will be associated to Vnet1/Subnet1 and will have the custom 
inbound security rules shown in the following table. 
 
Create an NSG named NSG11 that will be associated to Vnet1/Subnet2 and will have the custom 
outbound security rules shown in the following table. 
 
Question 
HOTSPOT - 
You are implementing the virtual network requirements for VM-Analyze. 
What should you include in a custom route that is linked to Subnet2? To answer, select the 
appropriate options in the answer area. 
NOTE: Each correct selection is worth one point. 
Hot Area: 
 
Correct Answer: 
 
Reference: 
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-udr-overview 
Topic 11 - Testlet 6 
Question #1 - Topic 11 
Introductory Info 
Case Study - Overview - 
Contoso, Ltd. is a consulting company that has a main office in San Francisco and a branch office 
in Dallas. 
Contoso recently purchased an Azure subscription and is performing its first pilot project in Azure. 
 
Existing Environment - 
 
Azure Network Infrastructure - 
Contoso has an Azure Active Directory (Azure AD) tenant named contoso.com. 
The Azure subscription contains the virtual networks shown in the following table. 
 
Vnet1 contains a virtual network gateway named GW1. 
 
Azure Virtual Machines - 
The Azure subscription contains virtual machines that run Windows Server 2019 as shown in the 
following table. 
 
The NSGs are associated to the network interfaces on the virtual machines. Each NSG has one 
custom security rule that allows RDP connections from the internet. The firewall on each virtual 
machine allows ICMP traffic. 
An application security group named ASG1 is associated to the network interface of VM1. 
 
Azure Private DNS Zones - 
The Azure subscription contains the Azure private DNS zones shown in the following table. 
 
Zone1.contoso.com has the virtual network links shown in the following table. 
 
 
Other Azure Resources - 
The Azure subscription contains additional resources as shown in the following table. 
 
 
Requirements - 
 
Virtual Network Requirements - 
Contoso has the following virtual network requirements: 
Create a virtual network named Vnet6 in West US that will contain the following resources and 
configurations: 
- Two container groups that connect to Vnet6 
- Three virtual machines that connect to Vnet6 
- Allow VPN connections to be established to Vnet6 
- Allow the resources in Vnet6 to access KeyVault1, DB1, and Vnet1 over the Microsoft backbone 
network. 
The virtual machines in Vnet4 and Vnet5 must be able to communicate over the Microsoft 
backbone network. 
A virtual machine named VM-Analyze will be deployed to Subnet1. VM-Analyze must inspect the 
outbound network traffic from Subnet2 to the internet. 
 
Network Security Requirements - 
Contoso has the following network security requirements: 
Configure Azure Active Directory (Azure AD) authentication for Point-to-Site (P2S) VPN users. 
Enable NSG flow logs for NSG3 and NSG4. 
Create an NSG named NSG10 that will be associated to Vnet1/Subnet1 and will have the custom 
inbound security rules shown in the following table. 
 
Create an NSG named NSG11 that will be associated to Vnet1/Subnet2 and will have the custom 
outbound security rules shown in the following table. 
 
Question 
HOTSPOT - 
You create NSG10 and NSG11 to meet the network security requirements. 
For each of the following statements, select Yes if the statement is true. Otherwise, select No. 
NOTE: Each correct selection is worth one point. 
Hot Area: 
 
Correct Answer: 
 
 
Yes - Subnet1 (VM1 -> NSG1 outbound -> NSG10 outbound) -> Subnet2 (NSG1 inbound -> NSG11 inbound -> VM2) 
Yes - NSG10 blocks ICMP from VNet4 (source 10.10.0.0/16), but it is not blocked from the VM2 subnet (VNet1/Subnet2). 
No - NSG11 blocks RDP (TCP port 3389) destined for VirtualNetwork. VirtualNetwork is a service tag that means the address space of the virtual network (VNet1), which in this case is 10.1.0.0/16. Therefore, RDP traffic from Subnet2 to anywhere else in VNet1 is blocked. 
Topic 12 - Testlet 7 
Question #1 - Topic 12 
Introductory Info 
Case Study - Overview - 
Litware, Inc. is a financial company that has a main datacenter in Boston and 20 branch offices across the United States. Users have Android, iOS, and Windows 10 devices. 
 
Existing Environment - 
 
Hybrid Environment - 
The on-premises network contains an Active Directory forest named litwareinc.com that syncs to 
an Azure Active Directory (Azure AD) tenant named litwareinc.com by using Azure AD Connect. 
All offices connect to a virtual network named Vnet1 by using a Site-to-Site VPN connection. 
 
Azure Environment - 
Litware has an Azure subscription named Sub1 that is linked to the litwareinc.com Azure AD 
tenant. Sub1 contains resources in the East US Azure region as shown in the following table. 
 
There is bidirectional peering between Vnet1 and Vnet2. There is bidirectional peering between 
Vnet1 and Vnet3. Currently, Vnet2 and Vnet3 cannot communicate directly. 
 
Requirements - 
 
Business Requirements - 
Litware wants to minimize costs whenever possible, as long as all other requirements are met. 
 
Virtual Networking Requirements - 
Litware identifies the following virtual networking requirements: 
Direct the default route of 0.0.0.0/0 on Vnet2 and Vnet3 to the Boston datacenter over an 
ExpressRoute circuit. 
Ensure that the records in the cloud.litwareinc.com can be resolved from the on-premises 
locations. 
Automatically register the DNS names of Azure virtual machines to the cloud.litwareinc.com zone. 
Minimize the size of the subnets allocated to platform-managed services. 
Allow traffic from VMScaleSet1 to VMScaleSet2 on the TCP port 443 only. 
 
Hybrid Networking Requirements - 
Litware identifies the following hybrid networking requirements: 
Users must be able to connect to Vnet1 by using a Point-to-Site (P2S) VPN when working remotely. 
Connections must be authenticated by Azure AD. 
Latency of the traffic between the Boston datacenter and all the virtual networks must be 
minimized. 
The Boston datacenter must connect to the Azure virtual networks by using an ExpressRoute 
FastPath connection. 
Traffic between Vnet2 and Vnet3 must be routed through Vnet1. 
 
PaaS Networking Requirements - 
Litware identifies the following networking requirements for platform as a service (PaaS): 
The storage1 account must be accessible from all on-premises locations without exposing the 
public endpoint of storage1. 
The storage2 account must be accessible from Vnet2 and Vnet3 without exposing the public 
endpoint of storage2. 
Question 
HOTSPOT - 
You need to restrict traffic from VMScaleSet1 to VMScaleSet2. The solution must meet the virtual 
networking requirements. 
What is the minimum number of custom NSG rules and NSG assignments required? To answer, 
select the appropriate options in the answer area. 
NOTE: Each correct selection is worth one point. 
Hot Area: 
 
Correct Answer: 
 
Box 1: Two custom rules 

Rule    Priority  Port  Protocol  Source           Destination      Action 
Rule 1  100       443   TCP       192.168.16.0/24  192.168.16.0/24  Allow 
Rule 2  200       Any   Any       192.168.16.0/24  192.168.16.0/24  Deny 

Box 2: One NSG 
All virtual machines in the same scale set use one NIC configuration, so just associate one NSG to that NIC. 
Network Security Groups can be applied directly to a scale set by adding a reference to the network interface configuration section of the scale set virtual machine properties. 
https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-networking#nsg--asgs-per-scale-set 
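Both the NSG10/NSG11 Yes/No explanation in Topic 11 and the two-rule answer in Box 1 above rest on the same mechanics: an NSG evaluates its rules in ascending priority order, the first match decides, and the built-in default rules (AllowVnetInBound at 65000, AllowAzureLoadBalancerInBound at 65001, DenyAllInBound at 65500) sit behind every custom rule, with the VirtualNetwork service tag resolving to the virtual network's address space. The following added Python example (not code from the original page or from Microsoft) models that evaluation and runs the Box 1 rules through it; the rule set is transcribed from the table above, while the VNet address space of 192.168.0.0/16, the sample IP addresses and the names are constructed assumptions.

```python
"""Minimal model of Azure NSG inbound rule evaluation.

Added example, not part of the original question set. Rules are processed
in ascending priority order and the first matching rule decides; the three
default rules cannot be deleted, only overridden by a custom rule with a
lower priority number. The rule set is the Box 1 answer from this page; the
VNet range the VirtualNetwork tag resolves to (192.168.0.0/16) and the
sample addresses are constructed assumptions.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Tuple

# Service tags expand to address ranges at evaluation time. Simplified:
# in Azure the VirtualNetwork tag also covers peered and on-premises ranges.
SERVICE_TAGS = {
    "VirtualNetwork": [ip_network("192.168.0.0/16")],     # assumed VNet space
    "AzureLoadBalancer": [ip_network("168.63.129.16/32")],
    "Internet": [ip_network("0.0.0.0/0")],
    "*": [ip_network("0.0.0.0/0")],
}


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int        # custom rules 100-4096; a lower number is evaluated first
    protocol: str        # "Tcp", "Udp", "Icmp" or "*"
    source: str          # CIDR or service tag
    destination: str     # CIDR or service tag
    dest_port: str       # "443", "1000-2000" or "*"
    access: str          # "Allow" or "Deny"


@dataclass(frozen=True)
class Flow:
    protocol: str
    src_ip: str
    dst_ip: str
    dst_port: int


# Default inbound rules present in every NSG.
DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "*", "VirtualNetwork", "VirtualNetwork", "*", "Allow"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "*", "AzureLoadBalancer", "*", "*", "Allow"),
    Rule("DenyAllInBound", 65500, "*", "*", "*", "*", "Deny"),
]

# The two custom rules from Box 1 (priority, port, protocol, source, destination, action).
SCALE_SET_RULES = [
    Rule("Allow443FromVMScaleSet1", 100, "Tcp", "192.168.16.0/24", "192.168.16.0/24", "443", "Allow"),
    Rule("DenyAllFromVMScaleSet1", 200, "*", "192.168.16.0/24", "192.168.16.0/24", "*", "Deny"),
]


def _addr_matches(spec: str, ip: str) -> bool:
    networks = SERVICE_TAGS.get(spec) or [ip_network(spec, strict=False)]
    return any(ip_address(ip) in n for n in networks)


def _port_matches(spec: str, port: int) -> bool:
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


def _proto_matches(spec: str, proto: str) -> bool:
    return spec == "*" or spec.lower() == proto.lower()


def evaluate(custom_rules: List[Rule], flow: Flow, defaults: List[Rule] = DEFAULT_INBOUND) -> Tuple[str, str]:
    """Return (access, rule_name) for the first rule, in priority order, that matches the flow."""
    for rule in sorted(custom_rules + defaults, key=lambda r: r.priority):
        if (_proto_matches(rule.protocol, flow.protocol)
                and _addr_matches(rule.source, flow.src_ip)
                and _addr_matches(rule.destination, flow.dst_ip)
                and _port_matches(rule.dest_port, flow.dst_port)):
            return rule.access, rule.name
    raise RuntimeError("unreachable: DenyAllInBound matches every flow")


if __name__ == "__main__":
    # Sample flows (constructed): VMScaleSet1 instance .10 talking to VMScaleSet2 instance .20.
    flows = [
        Flow("Tcp", "192.168.16.10", "192.168.16.20", 443),
        Flow("Tcp", "192.168.16.10", "192.168.16.20", 22),
        Flow("Tcp", "10.1.0.5", "192.168.16.20", 443),
    ]
    for f in flows:
        print(f"{f.src_ip}->{f.dst_ip}:{f.dst_port}/{f.protocol}", "both rules:", evaluate(SCALE_SET_RULES, f),
              "| only rule 1:", evaluate(SCALE_SET_RULES[:1], f))
```

The third column of the output is why the answer is two rules and not one: with only the Allow rule in place, a TCP/22 flow between the scale sets falls through to AllowVnetInBound at priority 65000 and is permitted, because both endpoints resolve to the VirtualNetwork tag. The explicit Deny at priority 200 is what shadows that default rule, exactly as the RDP Deny in NSG11 shadows it for Contoso in the Topic 11 explanation.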
Topic 13 - Testlet 8 
Question #1 - Topic 13 
Introductory Info 
Case Study - Overview - 
Litware, Inc. is a financial company that has a main datacenter in Boston and 20 branch offices across the United States. Users have Android, iOS, and Windows 10 devices. 
 
Existing Environment - 
 
Hybrid Environment - 
The on-premises network contains an Active Directory forest named litwareinc.com that syncs to 
an Azure Active Directory (Azure AD) tenant named litwareinc.com by using Azure AD Connect. 
All offices connect to a virtual network named Vnet1 by using a Site-to-Site VPN connection. 
 
Azure Environment - 
Litware has an Azure subscription named Sub1 that is linked to the litwareinc.com Azure AD 
tenant. Sub1 contains resources in the East US Azure region as shown in the following table. 
 
There is bidirectional peering between Vnet1 and Vnet2. There is bidirectional peering between 
Vnet1 and Vnet3. Currently, Vnet2 and Vnet3 cannot communicate directly. 
 
Requirements - 
 
Business Requirements - 
Litware wants to minimize costs whenever possible, as long as all other requirements are met. 
 
Virtual Networking Requirements - 
Litware identifies the following virtual networking requirements: 
Direct the default route of 0.0.0.0/0 on Vnet2 and Vnet3 to the Boston datacenter over an 
ExpressRoute circuit. 
Ensure that the records in the cloud.litwareinc.com can be resolved from the on-premises locations. 
Automatically register the DNS names of Azure virtual machines to the cloud.litwareinc.com zone. 
Minimize the size of the subnets allocated to platform-managed services. 
Allow traffic from VMScaleSet1 to VMScaleSet2 on the TCP port 443 only. 
 
Hybrid Networking Requirements - 
Litware identifies the following hybrid networking requirements: 
Users must be able to connect to Vnet1 by using a Point-to-Site (P2S) VPN when working remotely. 
Connections must be authenticated by Azure AD. 
Latency of the traffic between the Boston datacenter and all the virtual networks must be 
minimized. 
The Boston datacenter must connect to the Azure virtual networks by using an ExpressRoute 
FastPath connection. 
Traffic between Vnet2 and Vnet3 must be routed through Vnet1. 
 
PaaS Networking Requirements - 
Litware identifies the following networking requirements for platform as a service (PaaS): 
The storage1 account must be accessible from all on-premises locations without exposing the 
public endpoint of storage1. 
The storage2 account must be accessible from Vnet2 and Vnet3 without exposing the public 
endpoint of storage2. 
Question 
HOTSPOT - 
You need to implement name resolution for the cloud.litwareinc.com. The solution must meet the networking requirements. 
What should you do? To answer, select the appropriate options in the answer area. 
NOTE: Each correct selection is worth one point. 
Hot Area: 
 
Correct Answer: 
 
Reference: 
https://docs.microsoft.com/en-us/azure/dns/private-dns-autoregistration 
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances